On Nov 22, 2006, at 12:25 PM, Hallam-Baker, Phillip wrote:
> From: Douglas Otis [mailto:[EMAIL PROTECTED]
>
> This presumes bad actors are blocked by an easily defeated
> scheme. Guidance offered by SPF suggests the number blocked is
> less than 3%. In addition, blocking is not as black and white as
> you suggest. What happens when someone sends a message to a
> mailing list?
>
> This presupposes that the issue is blocking rather than cost control.

Making millions of unanswered queries will increase costs.

> Spam filtering is a real cost. AOL, Gmail, Hotmail, Yahoo all use a
> very significant amount of electricity feeding machines whose sole
> purpose is spam control.

It seems to be bad advice to suggest MTAs should scan for records
that seldom exist, where then only a small percentage that are
published are also "actionable". This is not something that should
be done for every message. The common strategy is to petition
providers for specific treatment. The financial industry could
create their own lists and guidelines. Part of this effort could
consolidate local-part addresses and identifiers of transactional email.

Large providers commonly white-list "okay" domains known to be either
large, or small but sending bulk. However, DKIM allows white-listing
to be abused, especially in the case of large domains. :(

There should be a safe method established that associates signing
domains with SMTP clients to permit safe white-listing using DKIM.
Composing white-lists and lists of financial institutions agreeing to
specific practices will save a substantial number of joule/seconds
and carbon emissions. An authorization record published by
joe-random domain instead will do the opposite.

> If we assume that 30% of the market is those three providers then
> 9% of the emails sent are going to be internal between just those 3
> email providers.

It seems this small amount of information could be contained within a
short list, thereby saving wasted cycles looking for records that do
not exist.

> If we assume that the email bill for each email provider's spam
> control is $1 million a month, the ability to whitelist email sent
> within just that group translates to approximately $1 million per
> provider per year in electricity saved alone.

Your figures do not pay for the network resources and IO-limited
machines required to support the slew of queries that are almost
always returning nothing. :(

> That is not a bad ROI at all. and reduced carbon emissions.

DKIM still requires a method to protect the use of the signature for
white-listing large domains. This can be done with a single DNS
transaction that associates the signing domain with the SMTP client.
This would be done only when the domain is already white-listed to
ensure a message is not being replayed by some unknown third-party.
An authorization record does nothing to enable the safe use of the
DKIM signature for white-listing.

> Of course the senders are not stupid and they will avoid using
> those domains to send spam to if they know that checking is in
> place. So the only spams that are getting caught are going to be
> from the stupid spammers.

DKIM cannot prevent spam! Stopping the phishing attempts is best
done by making phishing unsuccessful. An MUA that only annotates
DKIM-signed messages found in the recipient's address-book is the
best way to stop this traffic. An alternative might be to annotate
those messages found on an industry white-list. Relying upon an
authorization scheme is dangerous for the recipient who is told an
authorization scheme offers them protection that is in fact worthless.

> Checking a digital signature is much less expensive than any of the
> effective spam checking schemes I know of. The ROI is not in the
> mail you block, it's in the mail you whitelist.

Yes and no. There still must be a reasonable way to prevent replay
abuse.

> If you are a legitimate email sender you will find that adding a
> DKIM signature to your message is cheaper than constantly dealing
> with the major ISPs to get your mail server whitelisted. It also
> means that you can be protected if you happen to find yourself
> co-located on the same box as a spammer without your knowledge.

At this time, that will not likely be true. Currently there is no means
to associate a message envelope with that of the DKIM signature.
Reputation services will be taking a substantial risk accruing
unsolicited messages against the DKIM signature, or using the DKIM
signature for white-listing without a means to confirm the message
was intended to be sent by the signing domain. Once again the SMTP
client association can make this assertion true.

> DKIM base is not about increasing rejects, it is about reducing the
> cost of accepts.

Perhaps. DKIM seems like a good idea that still has a few loose ends.

> DKIM policy is about deterring impersonation. The actual number of
> rejects is not significant. In fact you want it to be low rather
> than high.

Agreed. Here annotation can play a major role in changing the
behavior of bad actors instead.
-Doug
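The two receiver-side rules argued for in the message above, as an added example that is not code from the thread or from any DKIM implementation: white-list on a DKIM signature only when the signing domain is already on the white-list and the SMTP client is associated with it (one lookup, spent only on white-listed domains, so a replayed signature from an unrelated client is not white-listed), and annotate in the MUA only signed mail whose signing domain matches a sender in the address book. The white-list, the `CLIENT_ASSOCIATION` table and `lookup_association` are constructed stand-ins, since the thread proposes the association record but defines no format.

```python
import ipaddress

# Constructed sample data (not from the thread): the receiver's white-list of
# signing domains, and a hypothetical association record that ties each
# white-listed signing domain to the SMTP clients it sends from. The thread
# proposes such a record but defines no format; this table stands in for it.
WHITE_LIST = {"bank.example", "bulk-sender.example"}
CLIENT_ASSOCIATION = {
    "bank.example": ["192.0.2.0/24"],
    "bulk-sender.example": ["198.51.100.10/32"],
}
QUERY_LOG = []  # one entry per (hypothetical) DNS transaction performed

def signing_domain(dkim_header):
    """Return the d= tag of a DKIM-Signature header value (tag=value list)."""
    for tag in dkim_header.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None

def lookup_association(domain):
    """The single DNS transaction from the thread, backed here by the table."""
    QUERY_LOG.append(domain)
    return [ipaddress.ip_network(n) for n in CLIENT_ASSOCIATION.get(domain, [])]

def whitelist_decision(dkim_header, signature_valid, client_ip):
    """Decide 'whitelist', 'replay-suspect' or 'normal-filtering'.

    The association lookup is spent only on domains already white-listed,
    so unknown domains cost no query; a valid signature arriving from an
    SMTP client not associated with d= is treated as a possible replay
    rather than white-listed.
    """
    domain = signing_domain(dkim_header)
    if not signature_valid or domain not in WHITE_LIST:
        return "normal-filtering"
    if any(ipaddress.ip_address(client_ip) in net
           for net in lookup_association(domain)):
        return "whitelist"
    return "replay-suspect"

def mua_should_annotate(dkim_header, signature_valid, address_book):
    """Annotate only signed mail whose d= matches a sender in the address book."""
    domain = signing_domain(dkim_header)
    if not signature_valid or domain is None:
        return False
    known = {addr.rpartition("@")[2].lower() for addr in address_book}
    return domain in known
```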
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html